{
	"id": "9cce4f15-4a9c-4f1e-abf3-6f551c273126",
	"created_at": "2026-04-06T00:19:30.170219Z",
	"updated_at": "2026-04-10T13:12:31.861448Z",
	"deleted_at": null,
	"sha1_hash": "d72ead2a71d14c7a7781a96ef829baf1fb8e206a",
	"title": "Back from vacation: Analyzing Emotet’s activity in 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1953760,
	"plain_text": "Back from vacation: Analyzing Emotet’s activity in 2020\r\nBy Edmund Brumaghin\r\nPublished: 2020-11-18 · Archived: 2026-04-05 21:20:13 UTC\r\nWednesday, November 18, 2020 11:00\r\nBy Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.\r\nEmotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of\r\nEmotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails\r\nare typically sent automatically by previously infected systems attempting to infect new systems with Emotet to\r\ncontinue growing the size of the botnets associated with this threat. Emotet is often the initial malware that is\r\ndelivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in\r\nvirtually every country on the planet over the past several years and often leads to high impact security incidents\r\nas the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.\r\nCisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We\r\nleveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes\r\nof observing the characteristics of these email campaigns over time and to gain additional insight into the scope\r\nand profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed\r\ntaking extended breaks over the past few years, and 2020 was no exception. 
Let's take a look at what Emotet has\r\nbeen up to in 2020 and the effect it's had on the internet as a whole.\r\nEmotet background\r\nhttps://blog.talosintelligence.com/2020/11/emotet-2020.html\r\nPage 1 of 12\n\nEmotet began its life as a banking trojan, but over the years, it evolved into what can now be classified as a highly\r\nmodular threat that adversaries leverage for a variety of purposes. In recent years, it has often been used as a\r\n\"beachhead\" in victim networks as it provides initial access and long-term persistence that malicious adversaries\r\ncan use to conduct further intrusion activities from within infected networks. In many cases, it is used as the initial\r\npayload in a multi-stage infection process and can be operational in victim networks for extended periods of time\r\nbefore adversaries choose to leverage the access it provides to further attack organizations. This is an important\r\nconsideration for network defenders as system backups may be compromised as a result of long-term infections\r\nthat reside in systems in the environment.\r\nThere are several other malware families that are also often delivered alongside Emotet such as Trickbot, Qakbot\r\nand others. Many network-based ransomware incidents, such as those conducted by the operators of Ryuk\r\nransomware, can be traced back to initial network access gained via Emotet. Over the past few years, Emotet has\r\nperiodically taken breaks from sending spam messages, with periods of inactivity ranging from weeks to months\r\nin several cases. 
It is important to note that while these periods of inactivity correspond to lack of spam\r\ndistribution, the botnets are typically still operational during these periods and as such, previously infected\r\nsystems can still be leveraged for intrusions.\r\nOrganizations and network defenders should be aware of the threat posed by Emotet and ensure that they have\r\nstrategies in place to prevent compromise, detect infections within their environments, and ensure that their\r\nbackup and recovery strategies compensate for situations in which the malware may have been resident for\r\nextended periods prior to discovery.\r\nSinkholing Emotet SMTP domains\r\nSeveral top-level domains (TLDs) that are widely used across the internet exhibit interesting behavior when\r\nDomain Name System (DNS) resolution is attempted for domains that do not exist or are not actively registered.\r\nIn many cases, the TLDs are configured to resolve non-existent domains to a specific IP address. Whenever the\r\nname servers associated with these TLDs receive resolution requests from clients on the internet for domains that\r\nare not actively configured to resolve to a specific IP address, they respond with a default IP address value,\r\nregardless of whether the domain being queried is invalid or has ever existed. Upon discovering this behavior, we\r\nleveraged the official list of TLDs available from ICANN to determine which TLDs operate in this manner. 
We\r\nbuilt a list of TLDs that exhibit the aforementioned behavior by rotating through this list of TLDs and requesting\r\nname resolution for domains that do not exist.\r\nThe table below lists the affected TLDs that we discovered, as well as the IP address that the nameservers return\r\nwhen the requested domain is either non-existent or not otherwise configured for name resolution.\r\nThis DNS behavior allows researchers to leverage technologies like Passive DNS (pDNS) to identify domains that\r\nmay have been valid at one point but are no longer actively registered and maintained. It also enables\r\nidentification and tracking of the volume of name resolution requests for these invalid domains being performed\r\nby various clients across the internet. This is useful for identifying domains that were previously part of domain\r\ngeneration algorithms (DGAs) or otherwise used for various malware operations like command and control (C2).\r\nFor example, the name resolution activity for a C2 domain previously associated with Phorpiex that has since\r\nbeen abandoned is shown below. While the adversary no longer controls the domain, orphaned bots are still\r\ncontinuing to reach out to it, attempting to establish a C2 channel. Note that it currently resolves to the default IP\r\naddress returned for nonexistent domains in the WS TLD as described earlier in this section.\r\nDuring our analysis of various orphaned domains, we discovered many domains that were used previously for C2\r\nby systems infected with a variety of threats like Dyre, Necurs, StealthWorker, and others. 
While many of the\r\ndomains we investigated were part of time-based DGAs and not particularly useful, we identified several domains\r\npreviously associated with SMTP servers that systems infected with Emotet use to relay malicious spam\r\nmessages. We obtained ownership of these domains and began sinkholing SMTP communications originating\r\nfrom these infected systems.\r\nSinkholing is the process of redirecting this malicious botnet traffic away from its intended source and into a\r\nharmless destination. This has provided visibility into hundreds of thousands of Emotet emails each month. It has\r\nalso allowed us to determine the scope of the systems sending malicious spam, profile the geographic and industry\r\nmakeup of these systems, and identify organizations suffering from resident Emotet infections.\r\nEmotet activity in 2020\r\nEmotet spent the early part of 2020 churning out large quantities of malicious email in volumes consistent with\r\nwhat has been observed from this threat in recent years. As the COVID-19 pandemic began to spread across the\r\nglobe, malware distributors took advantage of the public's focus on this emerging crisis — and Emotet was no\r\nexception. The use of current events in phishing and malspam lures is not a new technique and has been observed\r\nbeing used by various threat actors as described in detail here.\r\nEmotet occasionally takes periodic breaks from sending malicious spam emails, as seen earlier this year. Starting\r\nin February 2020, Emotet took an extended break from spamming, with low volumes of Emotet spam emails\r\nbeing observed for a period of several months. It spun up again in June with massive amounts of spam being sent\r\nstarting in July and continuing through to the present time, with intermittent pauses along the way. 
The following\r\ngraph shows the relative volumes of spam for each month in 2020.\r\nA further breakdown shows the volume of spam emails generated by the Emotet botnets on a weekly basis\r\nthroughout the course of 2020.\r\nWe also performed an analysis of the email data that was transmitted by systems infected with Emotet to get a\r\nbetter understanding of the characteristics of these spam runs and the emails themselves. One thing that is\r\nimmediately noticeable is the fact that hardly any spam messages are sent on weekends.\r\nInterestingly enough, when the botnets are spamming, they are doing so consistently around the clock. The chart\r\nbelow shows the distribution of messages received broken down by the hour of the day in which the transmission\r\noccurred. This shows the consistency with which the messages are transmitted on an hourly basis.\r\nWe identified several interesting characteristics associated with these campaigns. Analysis of the subject lines of\r\nmessages sent by infected systems uncovered several keywords that are used extensively across the different\r\ndistribution campaigns we observed. The use of \"invoice\" as a keyword across emails was the most common by an\r\nextremely high margin, consistent with what is a commonly observed theme in many malspam campaigns seen\r\nacross the threat landscape.\r\nWhen looking at the top five subjects by volume, a Japanese language subject was found: \"会議開催通知,\" which\r\ntranslates to \"Meeting Notification.\" Typically, we find that the most voluminous subjects use Western languages, so\r\nfinding a Japanese example that high on the list was unexpected. 
In general, Japanese and Korean, although a\r\nsmall percentage, were the most common non-Western languages we observed while analyzing this data.\r\nMost of the emails associated with Emotet feature the use of malicious attachments that function as malware\r\ndownloaders. Opening the attached files and enabling the malicious contents causes them to reach out to the\r\nattacker's distribution infrastructure to download additional malicious content that is then executed on the victim's\r\nsystem, thus infecting it with malware. The overwhelming majority of attachments leverage malicious Microsoft\r\nOffice documents (e.g. DOC, DOCX, XLS, XLSX); however, Emotet malspam has also been observed featuring\r\nZIP archives, PDFs, and more. Below is a chart showing the distribution of attachments by file type based on\r\ntelemetry data collected over the past twelve months.\r\nThere is one other type of email attachment we have seen in campaigns, although not widespread: encrypted or\r\npassword-protected files. We found a small number of these campaigns, and they are typically used in\r\nconjunction with stolen email threads. One thing to note for these is that instead of using basic or simple passwords\r\nthey include relatively complex passwords, which is uncharacteristic for password-protected malicious\r\nattachments.\r\nInvestigating the character count distribution associated with malicious attachment filenames shows that there is a\r\nwide range in terms of the approximate length of filenames associated with Emotet malspam, with the most\r\ncommon file names used being 18 characters in length (including the file extension).\r\nEmotet has also been observed distributing emails containing hyperlinks that, when clicked by potential victims,\r\ndirect their system to reach out to the attacker's distribution servers to obtain malicious content to execute,\r\nresulting in malware infection. 
In most cases, these distribution servers are running WordPress, a content\r\nmanagement system (CMS) that is frequently abused by attackers and used to host malicious components which\r\nare used in malware infections. In many cases, the servers used for distribution were running outdated plugins,\r\nthemes, etc., making them attractive targets for compromise.\r\nProfiling infected systems\r\nWhile Emotet is often referred to as a singular threat, it is actually composed of multiple distinct botnets, which\r\nare referred to by the security research community as \"epochs.\" At present, there are three epochs, each with\r\ndistinct supporting infrastructure for various malware operations like C2. In analyzing the SMTP sinkhole data we\r\ncollected, we identified infected systems from each of these three botnets attempting to transmit malicious spam\r\nusing our newly acquired domains.\r\nWe identified infected systems located in more than 200 different countries. This highlights how widespread\r\nEmotet's reach is, affecting virtually every country in the world. Below is a map showing the geographic regions\r\nassociated with the largest number of infected systems that we observed.\r\nWe also analyzed the network providers associated with these infected systems to determine what ISPs were most\r\ncommonly affected. The graph below shows the top ASNs we observed sending malspam.\r\nIt is important to note that the distribution of systems infected by Emotet is constantly changing, as existing\r\ninfections are removed and new ones are added. We analyzed the botnet distribution over the course of the past\r\ntwelve months and tracked these changes over time. 
This long-term geographic distribution can be seen\r\nin the graph below.\r\nEmotet is a heavily distributed threat that has wide-ranging impacts on a variety of different industries and\r\ngeographic regions. Malicious activity associated with this threat has continued throughout 2020 and will likely\r\ncontinue for the foreseeable future.\r\nConclusion\r\nEmotet is a constantly evolving threat that poses risks to organizations all over the world. Large volumes of\r\nmalicious spam emails generated by systems infected with Emotet are constantly being sent in an attempt to infect\r\nadditional systems and provide persistent network access that can be used for a variety of nefarious purposes.\r\nOrganizations should be aware of this threat as it continues to change over time and ensure that they have\r\nstrategies in place to protect their environment from the impacts of successful infection. In many cases, Emotet is\r\nthe initial stage of a multi-stage infection process that often features use of additional malware payloads. Since\r\nEmotet can be present in environments for extended periods of time prior to discovery by security teams, it is\r\nessential that organizations develop comprehensive backup and recovery strategies that can compensate for these\r\nsituations prior to an incident occurring. This approach to cybercrime continues to be lucrative for cybercriminals\r\nand as such is likely not going away in the foreseeable future. Cisco Talos will continue to monitor this threat to\r\nensure that customers remain protected as it continues to change and evolve over time.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nSource: https://blog.talosintelligence.com/2020/11/emotet-2020.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/11/emotet-2020.html"
	],
	"report_names": [
		"emotet-2020.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d72ead2a71d14c7a7781a96ef829baf1fb8e206a.pdf",
		"text": "https://archive.orkl.eu/d72ead2a71d14c7a7781a96ef829baf1fb8e206a.txt",
		"img": "https://archive.orkl.eu/d72ead2a71d14c7a7781a96ef829baf1fb8e206a.jpg"
	}
}